Restaurant Cybersecurity: Costly Risks for Restaurant Owners

A lot of things need to go right in order for your restaurant to succeed. You need a solid business plan, adequate financing, a budget, a tax plan, permits, great staff, a great location, great food, reasonable prices, and a plan to keep customers coming through the doors. And you could put all those pieces in place and still lose everything because of a lack of restaurant cybersecurity. 

Cybersecurity has become a vital part of operating any kind of successful business, and restaurants are particularly vulnerable. The nature of the industry creates all sorts of opportunities for fraudsters to steal from restaurants and their customers. It is essential for owners to build restaurant cybersecurity measures into their operating costs and training processes, and stay current with the top threats. The success of your long-term business goals hinges on your ability to keep your data secure. 

How Could Restaurant Cybersecurity Affect Your Bottom Line? 

A single cyberattack can be ruinous in an industry that already operates on thin margins. The average hospitality industry data breach cost nearly $3 million in 2022, per IBM Security’s annual report. Even if a cyberattack on your restaurant costs less than that $3M average, it could cost you tens of thousands of dollars in security upgrades, fees, and lost business in the first weeks after the event alone, which can be hard for a small restaurant to weather.

Then there’s the damage to your reputation. Any data breach that involves customer data is bound to become public knowledge, especially if it rises to the level that requires your restaurant to inform everyone whose data was exposed. Even if customer data isn’t affected by a cyberattack, any kind of security breach could make customers think twice about trusting you with their credit cards. It only takes one person posting on your restaurant’s social media about a security issue for the word to spread and for business to drop. 

Common Restaurant Cybersecurity Vulnerabilities in 2023

Obviously, consulting tech security professionals is the best way for your restaurant to make sure all the proper cybersecurity/fraud prevention procedures are in place and that you and your staff are trained on how to use them correctly. In the meantime, stay vigilant about some of the most common tactics cybercriminals use to target restaurants. Here’s a quick overview of three common kinds of cyber fraud. 

Payment fraud: Payment fraud has always been a costly problem for restaurants, with the liability for chargebacks and fraudulent payments made with magnetic-strip cards falling on merchants. Contactless payment has changed the way criminals can and can’t steal from restaurants. The rise of EMV (chip) cards benefits restaurants since merchants aren’t liable for fraudulent purchases made with these cards. But not all restaurants have the budget to upgrade to card readers that process contactless payments in person.

Restaurants that accept contactless payments online are also highly vulnerable to cyberattacks, including card skimming and card testing. Just last year, it was reported that online ordering systems for more than 300 restaurants were infected with “e-skimming” code that allowed hackers to steal data from customer transactions. (Card testing occurs when criminals try to make small purchases using stolen card numbers to determine which ones work so they can then make bigger purchases elsewhere.) 

Handheld POS systems: Has your restaurant transitioned to handheld POS systems yet? As well as speeding up payments and table turnover, they can help eliminate internal fraud by allowing servers to run diners’ cards table-side. There’s no chance of a server stealing a customer’s card information when they don’t have any private access to cards. 

But like traditional POS systems, handheld POS systems are still vulnerable to data breaches. POS systems can be infected with malware that allows hackers to access credit card data. They can also be stolen easily if staff members aren’t being attentive.  

QR code fraud: QR codes became nearly ubiquitous for restaurants early in the pandemic when minimizing contact was critical. A lot of diners are now accustomed to scanning QR codes to access a restaurant’s menu or website and don’t think twice before pulling up their phone cameras. And using QR codes can benefit restaurants in various ways, like cutting down on menu costs and creating an opportunity for customers to opt-in to the restaurant’s mailing list.  

Naturally, fraudsters have exploited this trend by tricking people into scanning QR codes that do things like download malware onto their phones. This scam can be carried out in a very subtle, low-tech way. The FBI issued a press release saying that scammers have been known to paste their own malicious QR code stickers over legitimate ones. In a busy restaurant where QR code table tents are set up on every table, it could be easy for someone to discreetly cover some of them with stickers. 

If your restaurant does use QR codes on tables and in signage, train staff to monitor them often for signs of tampering and to immediately report any issues customers have with your QR codes. Knowing that some customers will be wary of QR fraud, keep paper versions of menus available. 

Concerned About Cybersecurity and the Future of Your Restaurant?

Restaurant cybersecurity probably isn’t something you’re qualified to manage on your own. There’s no substitute for bringing in qualified IT professionals who can assess your vulnerabilities and ensure all your restaurant’s technology is protected with layers of security. The business consultants at Sachetta, LLC can’t help you patch any holes in your POS system, but we can help you look at how restaurant cybersecurity is going to factor into your budget and plans going forward. Ensuring you’re spending enough (but not too much) on cybersecurity is going to be an important part of keeping your restaurant open long-term. Contact us today.

Georgios Liakakis, CPA, MSA is a Certified Public Accountant and holds a Master’s Degree in Accounting from the University of Massachusetts Lowell. He joined our team in 2016 and focuses on both business and individual taxation.